in this part in code : <https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L276C12-L290C2> is handle the claiming of rewards for liquidity mining. It calculates rewards based on the liquidity provided by a user, their position, and certain parameters like ambRewardPerWeek_ and overallTimeWeightedLiquidity, the problem is in the calculation of rewardsForWeek ,If overallTimeWeightedLiquidity becomes zero or very small, it could lead to a division by zero or a negligible reward, allowing attackers to potentially claim more rewards than they deserve.
An attacker could manipulate the overallTimeWeightedLiquidity value or orchestrate transactions in such a way that this value becomes extremely low. This would result in an inflated rewardsForWeek, allowing the attacker to claim more rewards than they should.
attacker deploys a smart contract called MaliciousContract, which interacts with the liquidity mining contract.
the MaliciousContract, the attacker sets up a function that triggers the liquidity calculation in the target contract.
contract MaliciousContract {
LiquidityMining targetContract; // The target liquidity mining contract
constructor(address _targetContract) {
targetContract = LiquidityMining(_targetContract);
}
function triggerRewardCalculation(address _user) public {
// Assume the attacker knows the user's position, pool, and week
bytes32 poolIdx = ...;
bytes32 posKey = ...;
uint32 week = ...;
// Manipulate overallTimeWeightedLiquidity to a very low value
targetContract.setOverallTimeWeightedLiquidity(poolIdx, week, 1); // Set it to a very low value
targetContract.claimAmbientRewards(_user, poolIdx, week); // Trigger the reward calculation
}
}
The attacker deploys MaliciousContract and calls triggerRewardCalculation with the target userβs address and the relevant parameters.
The target liquidity mining contract calculates rewardsForWeek using the manipulated overallTimeWeightedLiquidity, resulting in a much higher reward value than expected.
manual review
added a check to ensure that overallTimeWeightedLiquidity is greater than zero before calculating rewardsForWeek. If overallTimeWeightedLiquidity is zero or negative, the code can handle this situation
// Check if overallTimeWeightedLiquidity is greater than zero before calculating rewards
if (overallTimeWeightedLiquidity > 0) {
uint256 rewardsForWeek = (timeWeightedWeeklyPositionAmbLiquidity_[poolIdx][posKey][week] * ambRewardPerWeek_[poolIdx][week]) / overallTimeWeightedLiquidity;
rewardsToSend += rewardsForWeek;
} else {
// Handle the case where overallTimeWeightedLiquidity is zero or negative
// You may want to revert the transaction, emit an error event, or take other appropriate actions.
}
Other
The text was updated successfully, but these errors were encountered:
All reactions